Stupid Chinese hackers.

EveryoneEveryone Member Posts: 1,661
Facebook told me that someone logged into my account there from a mobile device in China. :\ I'm on my computer at least 8 hours a day for work, so I got the notification right away and was able to take action immediately.

Maybe that's what I get for logging on from unsecured WiFi at a hotel. I keep my home network locked down tight. Just to be extra sure, I added rules to my firewall to block all of Asia and Africa today. Been meaning to do that for a while anyway.

Most annoying part was going and changing all my passwords.

Haven't found any signs of intrusion on any of my computers, which makes me wonder if my Android phone was compromised. :\ I'm very good at keeping a network and my Windows and Linux boxes secure; I've had years and years of experience doing that. This phone always worries me though, as I have very little experience with Android phones. Don't even know where to begin to see if it's the phone that's been compromised.

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    You could run one of the toolkits on it:
    https://code.google.com/p/aft/
    viaExtract - Forensic tool for Android devices released | The Hacker News (THN)

    I think there was one from SANS as well. Do you run IPtables on your phone? How about AV?
  • lenell86lenell86 Member Posts: 75 ■■■□□□□□□□
    Unfortunately, what they say in the news about Android surging in threats 400% is not to be taken lightly. Reason why I bought a WP7 instead of Android lol.

    But getting back on point, FB has an option in your settings to use https by default so if it was on your phone, I believe that still goes over unsecured.
  • SteveLordSteveLord Member Posts: 1,717
    We've been meaning to tell you that we've known your FB password was "password" for a while now. ;)
  • EveryoneEveryone Member Posts: 1,661
    Bl8ckr0uter wrote: »
    You could run one of the toolkits on it:
    https://code.google.com/p/aft/
    viaExtract - Forensic tool for Android devices released | The Hacker News (THN)

    I think there was one from SANS as well. Do you run IPtables on your phone? How about AV?

    I have AV on it, but never thought to setup IPtables on it. I don't root my phones like a lot of people do, can't afford to break it. I'll have to check out those tools, thanks.
  • EveryoneEveryone Member Posts: 1,661
    lenell86 wrote: »
    Unfortunately, what they say in the news about Android surging in threats 400% is not to be taken lightly. Reason why I bought a WP7 instead of Android lol.

    But getting back on point, FB has an option in your settings to use https by default so if it was on your phone, I believe that still goes over unsecured.

    Yes I have it set to use https by default. I'm in the habit of typing https for every site I go to, and only use http if https isn't available.

    It could have just been a brute force attack on FB too. I was anti-social networking forever and only got an FB account because I got tired of people asking me if I saw what my wife posted on it. Got an account just to keep an eye on her, lol. I registered with an old yahoo account that is my junk mail account that I use for registering for things I don't care about or could potentially send me crap. I'm sure that account is on a bunch of lists. I'll admit I didn't use the most secure password for FB, not like I do for everything else. It was medium strength at best.
  • JDMurrayJDMurray Admin Posts: 13,078 Admin
    It is more likely that your password was simply guessed rather than sniffed?
  • EveryoneEveryone Member Posts: 1,661
    JDMurray wrote: »
    It is more likely that your password was simply guessed rather than sniffed?

    Quite possible. Been digging through everything else, and nothing else seems to have been accessed. Good thing that was the only place I used that one. ;)
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I got notifications that my gmail account was accessed from Thailand a couple of years ago, a month after I got my HTC Incredible. Thought it was a coincidence, but it happened again when I upgraded to my Razr. Changed passwords both times. I still think it's a coincidence though. I read that the Android anti-virus programs barely work.
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    JDMurray wrote: »
    This is totally anecdotal, but we have a mid-size client with about 20 users connecting Android smartphones to the internal wifi. We have a Sonicwall NSA-series firewall appliance deployed using its "Unified Threat Management" services, which includes anti-virus protection of web traffic. Most of the viruses it has blocked in the last month or so are trojan apps for Android.

    Again, that's completely anecdotal, but in a network with under 200 nodes, 80% of infections stopped at the gateway are for Android. I find that pretty interesting.
  • JDMurrayJDMurray Admin Posts: 13,078 Admin
    It sounds like your client needs to wipe those phones (assuming they are owned by the client) and enforce a strict policy about what can be downloaded from the Android Market.
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    JDMurray wrote: »
    It sounds like your client needs to wipe those phones (assuming they are owned by the client) and enforce a strict policy about what can be downloaded from the Android Market.

    Don't even get me started on that client and their security policies. ;)
  • NOC-NinjaNOC-Ninja Member Posts: 1,403
    They're not stupid if they got you. :D You're crazy to even log in to an unsecured wireless. A secured or encrypted wireless connection doesn't make you safe. It does make everybody feel safe with those "secured or encrypted" words.

    Chinese hackers are pretty good. They successfully hacked TONSSSSSSSSSSS of US govt agencies and other countries.
  • EveryoneEveryone Member Posts: 1,661
    NOC-Ninja wrote: »
    They're not stupid if they got you. :D You're crazy to even log in to an unsecured wireless. A secured or encrypted wireless connection doesn't make you safe. It does make everybody feel safe with those "secured or encrypted" words.

    Chinese hackers are pretty good. They successfully hacked TONSSSSSSSSSSS of US govt agencies and other countries.

    So did I, in the late 90's when I was a teenager. :p
  • JDMurrayJDMurray Admin Posts: 13,078 Admin
    Everyone wrote: »
    So did I, in the late 90's when I was a teenager. :p
    I hope you are not making that admission on a public Web site from the very ISP that you use to hack from.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    NOC-Ninja wrote: »
    They're not stupid if they got you. :D You're crazy to even log in to an unsecured wireless. A secured or encrypted wireless connection doesn't make you safe. It does make everybody feel safe with those "secured or encrypted" words.

    Chinese hackers are pretty good. They successfully hacked TONSSSSSSSSSSS of US govt agencies and other countries.

    Fanboy lol.

    As far as your "feels safe" statement that is pretty much the entire point of security theater. Making people feel safe.

    I was talking to a person at work and ironically the topic of tunneling over SSH came up. He uses tunnels regularly for all sorts of things. I am setting up my SSH server this weekend although with firewalls that do DPI and can open up a SSH session, I wonder how effective it really is. Many NGFWs can detect services running on alternate ports as well (and inspect them). I've been meaning to try something I saw on IronGeek a little while ago:
    Joff Thyer - Covert Channels using IP Packet Headers Derbycon 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)

    My thoughts are that even if someone sniffs the packets and looks at the header level, all they will see is encrypted traffic. I want to set this up in a lab to see how viable of a solution this is. I also want to mix this with some sort of port knocking and authentication. Baby steps.
  • EveryoneEveryone Member Posts: 1,661
    JDMurray wrote: »
    I hope you are not making that admission on a public Web site from the very ISP that you use to hack from.

    Sure why not? I'm a moron after all. Come on... I said late 90's, we're talking 15+ years ago. I don't even think the dial-up ISP I had back then exists anymore. Plus it's way past the statute of limitations for anything stupid I may have done back then. Also I've moved 5 or 6 times since then.

    Anything I've done since then has been strictly white hat, and most of it has been government sponsored. ;)
  • NOC-NinjaNOC-Ninja Member Posts: 1,403
    Bl8ckr0uter wrote: »
    Fanboy lol.

    As far as your "feels safe" statement that is pretty much the entire point of security theater. Making people feel safe.

    I was talking to a person at work and ironically the topic of tunneling over SSH came up. He uses tunnels regularly for all sorts of things. I am setting up my SSH server this weekend although with firewalls that do DPI and can open up a SSH session, I wonder how effective it really is. Many NGFWs can detect services running on alternate ports as well (and inspect them). I've been meaning to try something I saw on IronGeek a little while ago:
    Joff Thyer - Covert Channels using IP Packet Headers Derbycon 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)

    My thoughts are that even if someone sniffs the packets and looks at the header level, all they will see is encrypted traffic. I want to set this up in a lab to see how viable of a solution this is. I also want to mix this with some sort of port knocking and authentication. Baby steps.
    I'm not a fanboy. I give credit where it's due.
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Everyone wrote: »
    Sure why not? I'm a moron after all. Come on... I said late 90's, we're talking 15+ years ago. I don't even think the dial-up ISP I had back then exists anymore. Plus it's way past the statute of limitations for anything stupid I may have done back then. Also I've moved 5 or 6 times since then.

    Anything I've done since then has been strictly white hat, and most of it has been government sponsored. ;)

    Did you hack into NORAD and play chess on their super computer?
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    tpatt100 wrote: »
    Did you hack into NORAD and play chess on their super computer?
    I was assuming something more along the lines of Global Thermonuclear War....
  • MentholMooseMentholMoose Member Posts: 1,525 ■■■■■■■■□□
    Have you installed any apps on your phone lately? No source (Android Market, 3rd party stores, cracked APKs, etc.) is completely trustworthy. There are apps with malware that steals FB credentials (e.g. https://www.facebook.com/notes/the-security-pub/fake-facebook-application-that-steals-login-information/10150147835772581 ) so this is a possibility.

    What was the IP in the notification email? You can check rDNS, whois records, and even Google for clues. FB is blocked in mainland China and the login may not have actually occurred from there, but rather from an IP that FB thinks is in China. IP geolocation is not an exact science. Logins I've done have been reported by FB with the wrong location (never the wrong continent, though). IP geolocation services automatically guess location based on various criteria so, for example, it may have been a login from a Chinese-owned business in the US (e.g. a net cafe), or a business with an ISP that is Chinese-owned or simply has a strong presence in Asia.
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    This is why I don't use apps, and I barely update the ones I have (I'm not reading the "updated" TOS for each one and giving them permissions that are obviously unneeded). I would be interested in hearing about where I can find good free AV for my Android, and as for a firewall, that might be something I would try, but rooting my phone is something I'm against, for security and contract purposes.
  • varelgvarelg Banned Posts: 790
    I think by now it is clear that your FB credentials have been breached rather than your machines. The only FB account that can't be broken into is the nonexistent one.
    About those reports on Android malware attacks skyrocketing, of course the competition will launch a smear campaign. Win phones and iPhones aren't targets of malware attacks? Give me a break...
  • MentholMooseMentholMoose Member Posts: 1,525 ■■■■■■■■□□
    varelg wrote: »
    About those reports on Android malware attacks skyrocketing, of course the competition will launch a smear campaign. Win phones and iPhones aren't targets of malware attacks? Give me a break...
    Well, cyber criminals do tend to follow the market. For OSs, they primarily write malware for Windows. For browsers, IE (and ubiquitous plugins like Java and Flash Player). For mobile, Android is #1 and thus should be the #1 target. That does not mean Linux/OSX, Firefox/Safari/Opera, and iOS/WP are necessarily more secure, just that they are less likely to be a target.
  • JDMurrayJDMurray Admin Posts: 13,078 Admin
    MentholMoose wrote: »
    For mobile, Android is #1 and thus should be the #1 target.
    Android is low-hanging fruit--easy to write and distribute Malware for.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SephStorm wrote: »
    This is why I don't use apps, and I barely update the ones I have (I'm not reading the "updated" TOS for each one and giving them permissions that are obviously unneeded). I would be interested in hearing about where I can find good free AV for my Android, and as for a firewall, that might be something I would try, but rooting my phone is something I'm against, for security and contract purposes.

    Why do you have a smart phone if you don't use apps? How can you complain about security if you don't even update the ones you have?

    Anywho, Droidwall is a decent iptables front end (it doesn't install iptables, it just makes it easy to manage). I have used Lookout but I wiped my phone (actually I put a custom ROM on it) and I haven't reinstalled it. Also rooting your phone does not void your contract (at least Sprint doesn't care). If I need to send my phone back to them I will just boot back to Sense and take my SD card out. It really isn't that hard. I am a little confused as far as your statement for security purposes. Do you think that rooting your phone makes it less secure? Most of the really good security programs require root (including DroidWall), and with the Superuser app you can manage which apps get to run as root.

    It is kind of shocking to hear a statement like that come from you. I thought you would have hacked that thing a long time ago :)
    JDMurray wrote: »
    Android is low-hanging fruit--easy to write and distribute Malware for.

    Relatively (due to the nature of the platform and the nature of the Android Market). But that means it is also easy to get fixes for and (if you know what you are doing) create fixes. TrevE Logging checker app is an example of this.
  • WebmasterWebmaster Admin Posts: 10,292 Admin
    MentholMoose wrote: »
    Well, cyber criminals do tend to follow the market. For OSs, they primarily write malware for Windows. For browsers, IE (and ubiquitous plugins like Java and Flash Player). For mobile, Android is #1 and thus should be the #1 target. That does not mean Linux/OSX, Firefox/Safari/Opera, and iOS/WP are necessarily more secure, just that they are less likely to be a target.

    That has been a common and valid argument in Apple vs Windows vs Linux, i.o.w. in desktop OS discussions, for years. Used it several times myself. But when it comes to the mobile market the argument doesn't hold any water, because although Android may be the #1 most wide-spread phone OS, many if not most of them never connect to the internet and are not used as "smartphones". iOS also didn't get malware (as far as I know/remember) during the time it was leading (which has a lot to do with Apple's "approval" process).

    I would find these usage statistics (first link) much more interesting if I were to pick a popular target:
    Browser market share

    McAfee threats report: Android is in the crosshairs | ZDNet

    http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf

    So no, Android being attacked has little to do with it being "#1" in anything else than being the easiest popular phone OS to deploy malware on (just stating a fact... I don't have "feelings" towards either "brand"), nor the lack of popularity of others. As Bl8ckr0uter pointed out so delicately: it's due to the nature of the platform and the nature of the Android Market.

    TE mobile stats:

  • JDMurrayJDMurray Admin Posts: 13,078 Admin
    Bl8ckr0uter wrote: »
    Relatively (due to the nature of the platform and the nature of the Android Market). But that means it is also easy to get fixes for and (if you know what you are doing) create fixes. TrevE Logging checker app is an example of this.
    My major concern is apps that are written specifically to be Trojans, and therefore there will be no "fixes" for them. Staying with apps created only by known software vendors (Google, Facebook, Amazon, etc.) is an excellent policy, as is only installing apps that contain the verifiable certificate of a known software publisher.
    Webmaster wrote: »
    iOS also didn't get malware (as far as I know/remember) during the time it was leading (which has a lot to do with Apple's "approval" process).
    I don't care for Apple's tight-fisted policies, but their app approval process does prevent the distribution of malware on its platforms. I sure would like to know what Apple's malware testing procedures are, but good luck finding that out.
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Bl8ckr0uter wrote: »
    Why do you have a smart phone if you don't use apps? How can you complain about security if you don't even update the ones you have?

    Anywho, Droidwall is a decent iptables front end (it doesn't install iptables, it just makes it easy to manage). I have used Lookout but I wiped my phone (actually I put a custom ROM on it) and I haven't reinstalled it. Also rooting your phone does not void your contract (at least Sprint doesn't care). If I need to send my phone back to them I will just boot back to Sense and take my SD card out. It really isn't that hard. I am a little confused as far as your statement for security purposes. Do you think that rooting your phone makes it less secure? Most of the really good security programs require root (including DroidWall), and with the Superuser app you can manage which apps get to run as root.

    It is kind of shocking to hear a statement like that come from you. I thought you would have hacked that thing a long time ago :)



    Relatively (due to the nature of the platform and the nature of the Android Market). But that means it is also easy to get fixes for and (if you know what you are doing) create fixes. TrevE Logging checker app is an example of this.

    Not sure if Android is easy to get fixes for. I had to resort to an Android forum to then get directed to some anonymous file sharing website in order to upgrade my HTC to 2.3, since HTC was taking over a year to push out an update. Most Android phones are seriously lagging in OS updates due to phone manufacturers giving priority to their newest phones.

    Also, rooting phones usually requires methods put out there by "some person" using "some internet name not their own" using files downloaded from "some anonymous file sharing website". Just to get root access to your phone, to me, means you're ignoring plenty of really obvious security practices to get root.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    tpatt100 wrote: »
    Not sure if Android is easy to get fixes for. I had to resort to an Android forum to then get directed to some anonymous file sharing website in order to upgrade my HTC to 2.3, since HTC was taking over a year to push out an update. Most Android phones are seriously lagging in OS updates due to phone manufacturers giving priority to their newest phones.

    The fact that you could even go to a forum and get fixes proves my point. And when I say easy, I mean easy for the type of people on TE not Joe User.

    tpatt100 wrote: »
    Also, rooting phones usually requires methods put out there by "some person" using "some internet name not their own" using files downloaded from "some anonymous file sharing website". Just to get root access to your phone, to me, means you're ignoring plenty of really obvious security practices to get root.

    Do you really know who is producing the patches when you are dealing with vendors? I mean without outsourcing/offshoring you can't really be sure who is really giving you patches/updates/etc. You know what they are coming from (at least by name) but have you ever talked to a MS patch developer?

    For the root patches that I have used, I have talked with some of the people who developed the exploits to get root and many people who have used them before me. Of course they could be lying, but that is the chance I take. You take the same chance when you deal with any vendor.

    I am not saying one is better than the other. I am just saying there are risks in everything.